git: 4672adcea4cf - main - nfs_commonsubs.c: Add a sanity check for nid_ngroup
Date: Tue, 28 Oct 2025 14:47:29 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=4672adcea4cf3c0c626d186f1f41c69552d915f1
commit 4672adcea4cf3c0c626d186f1f41c69552d915f1
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-28 14:44:14 +0000
nfs_commonsubs.c: Add a sanity check for nid_ngroup
The nfsuserd(8) daemon passes user credentials
(uid + gids) into the kernel for users and groups
identified by name (received from an NFSv4 server).
This patch adds a sanity check for the number of
groups (nid_ngroup) passed in.
Its only purpose is to protect against a bogus
nfsuserd(8) running in a jail.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53389
---
sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 8d506a5643a9..8e1a26eef354 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4192,10 +4192,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
nidp->nid_namelen);
if (error == 0 && nidp->nid_ngroup > 0 &&
(nidp->nid_flag & NFSID_ADDUID) != 0) {
- grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
- M_WAITOK);
- error = copyin(nidp->nid_grps, grps,
- sizeof(gid_t) * nidp->nid_ngroup);
+ grps = NULL;
+ if (nidp->nid_ngroup > NGROUPS_MAX)
+ error = EINVAL;
+ if (error == 0) {
+ grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+ M_WAITOK);
+ error = copyin(nidp->nid_grps, grps,
+ sizeof(gid_t) * nidp->nid_ngroup);
+ }
if (error == 0) {
/*
* Create a credential just like svc_getcred(),
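Review bot: The new bound at `if (nidp->nid_ngroup > NGROUPS_MAX)` has no comment, so the code itself does not record that nid_ngroup is a count supplied by the caller and that it sizes both the `malloc(..., M_WAITOK)` and the `copyin()` through `sizeof(gid_t) * nidp->nid_ngroup`. A one-line comment above the check stating that would keep the reason next to the code rather than only in the commit message. On structure, setting `error = EINVAL` and then testing `if (error == 0)` twice in a row works, but an `else` on the bound check would drop one test and make the two outcomes (reject, or allocate and copy in) read as alternatives. Since `grps = NULL` is now the state on the EINVAL path while a failed `copyin()` leaves grps allocated, it is worth confirming that the cleanup code outside this hunk handles both cases.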